This section describes new features of Oracle Advanced Security 10g Release 1 (10.1) and provides pointers to additional information. New features information from the previous release is also retained to help those users migrating to the current release.

The following sections describe the new features in Oracle Advanced Security:

New Features in Strong Authentication

Oracle Advanced Security provides several strong authentication options, including support for RADIUS, Kerberos, and PKI (public key infrastructure). This release provides the following new features for strong authentication:

Support for TLS (Transport Layer Security), version 1.0

TLS is an industry-standard protocol which provides effective security for transactions conducted on the Web. It has been developed by the Internet Engineering Task Force (IETF) to be the successor to SSL version 3.0. TLS is a configurable option provided in Oracle Net Manager.

Support for Hardware Security Modules, including Oracle Wallet Manager Integration

In this release, Oracle Advanced Security supports hardware security modules which use APIs that conform to the RSA Security, Inc., Public-Key Cryptography Standards (PKCS) #11. In addition, it is now possible to create Oracle Wallets that can store credentials on a hardware security module for servers, or private keys on tokens for clients. This provides roaming authentication to the database.

Certificate Revocation Status Checking

In the current release, you have the option to configure certificate revocation status checking for both the client and the server. Certificate revocation status is checked against CRLs that are located in file system directories, stored in Oracle Internet Directory, or downloaded from the location specified in the CRL Distribution Point (CRL DP) extension of the certificate. The orapki command-line utility has also been added for CRL management and for managing Oracle wallets and certificates.
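As an added illustration of the TLS and certificate revocation features described above (this fragment is not from the original documentation), the following sqlnet.ora excerpt shows each new setting with its weaker value commented out beside the stronger one. The wallet and CRL directory paths are assumed values.

```text
# sqlnet.ora (added example; directory paths are assumed)

# SSL_VERSION selects the protocol version Oracle Net negotiates.
# 3.0 is SSL 3.0; 3.1 is how Oracle Net names TLS 1.0, the version
# introduced in this release.
# SSL_VERSION = 3.0
SSL_VERSION = 3.1

# SSL_CERT_REVOCATION controls revocation status checking.
#   NONE      - no check is performed.
#   REQUESTED - check when a CRL is available; accept the peer if none is found.
#   REQUIRED  - reject the connection if the revocation status cannot be checked.
# SSL_CERT_REVOCATION = NONE
SSL_CERT_REVOCATION = REQUIRED

# Directory of CRL files named by issuer-name hash (see orapki note below).
# If neither SSL_CRL_PATH nor SSL_CRL_FILE is set, the CRL is fetched from
# the CRL DP extension or the directory instead.
SSL_CRL_PATH = /etc/ORACLE/WALLETS/crl

# Wallet holding this end's certificate, private key, and trusted CAs.
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /etc/ORACLE/WALLETS/oracle)))
```

Oracle Net looks up CRLs in SSL_CRL_PATH under a file name derived from a hash of the issuer name, so a CRL copied into that directory by hand is not found. Use orapki to install it, for example `orapki crl hash -crl /tmp/ca.crl -symlink /etc/ORACLE/WALLETS/crl -summary`, and confirm the contents with `orapki crl display -crl /tmp/ca.crl -summary`. Because revocation checking is configurable on both sides in this release, the same SSL_CERT_REVOCATION setting belongs in the client's sqlnet.ora when the client must verify the server certificate against a CRL.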

New Features in Enterprise User Security

Kerberos Authenticated Enterprise Users

Kerberos-based authentication to the database is available for users managed in an LDAP directory. This includes Oracle Internet Directory or any other third-party directory that is synchronized to work with Oracle Internet Directory by using the Directory Integration Platform. To use this feature, all directory users, including those synchronized from third-party directories, must include the Kerberos principal name attribute (krbPrincipalName attribute).

Password/SASL-Based Authentication for Database Binding to Oracle Internet Directory

In this release, a database can bind to Oracle Internet Directory by using password/SASL-based authentication, eliminating the overhead of setting up PKI credentials for the directory and for multiple databases. SASL (Simple Authentication and Security Layer) is a standard defined in Internet Engineering Task Force RFC 2222. It is a method for adding authentication support to connection-based protocols such as LDAP.

Recognition of standard password verifiers by Oracle Database is also new in this release.

Tool Changes

New Tool: Enterprise Security Manager Console

The Enterprise Security Manager Console, which is based on the Oracle Internet Directory Delegated Administration Service (DAS), is new in this release. Administrators can use this tool to create enterprise users, enterprise user security groups, and to configure identity management realm attributes in the directory that relate to Enterprise User Security.

In this release, Oracle Enterprise Login Assistant functionality has been migrated to the new Enterprise Security Manager Console and Oracle Wallet Manager. The following table lists which tool you should now use to perform tasks that you previously performed by using Oracle Enterprise Login Assistant:

If you used Oracle Enterprise Login Assistant to...        Then now you should use...
Change the directory-to-database password                  Enterprise Security Manager Console
Change an Oracle wallet password                           Oracle Wallet Manager
Enable auto login for an Oracle wallet                     Oracle Wallet Manager

See Also:

The following sections for information about Enterprise Security Manager Console and how to use it: